Setting Up NFS Server with Kerberos-based Authentication for Linux Clients

NFS (Network File System) with Kerberos authentication provides a secure file sharing solution for Linux environments. This configuration requires every client to hold a valid Kerberos ticket before it can access a shared directory and, with the krb5i and krb5p security flavours, also protects the integrity and confidentiality of the data in transit. The setup involves installing NFS and Kerberos packages, creating security principals and keytabs, configuring exports, and establishing proper firewall rules for secure communication.

Configuration Approaches

There are two primary methods for setting up NFS with Kerberos authentication:

  • Automation with Configuration Management Tools: using Ansible, Puppet, or Chef for consistent deployments

  • Manual Configuration Approach: step-by-step manual setup for smaller environments

Automation with Configuration Management Tools

Configuration management tools streamline NFS-Kerberos deployment through automated scripts and playbooks. These tools ensure consistent configurations across multiple servers and reduce manual errors. The automation handles package installation, Kerberos realm configuration, principal creation, and firewall rule management.

Automated Setup Steps

Install NFS Server Software

# For Ubuntu/Debian
sudo apt-get update
sudo apt-get install nfs-kernel-server

# For RHEL/CentOS
sudo yum install nfs-utils

Install Kerberos Packages

# Ubuntu/Debian
sudo apt-get install krb5-kdc krb5-admin-server

# RHEL/CentOS
sudo yum install krb5-server krb5-libs krb5-workstation

# Configure Kerberos realm
sudo nano /etc/krb5.conf

Create Kerberos Principals and Keytabs

sudo kadmin.local -q "addprinc -randkey nfs/server.domain.com"
sudo kadmin.local -q "addprinc -randkey nfs/client.domain.com"

# Generate keytabs
# ktadd writes to /etc/krb5.keytab on the host running kadmin.local, so the
# server's entry is correct as-is. Write the client's entry to a separate file
# (example path), copy it to the client's /etc/krb5.keytab over a secure
# channel, then delete the local copy so the client key never stays on the KDC.
sudo kadmin.local -q "ktadd nfs/server.domain.com"
sudo kadmin.local -q "ktadd -k /root/client.keytab nfs/client.domain.com"

Configure NFS Exports

sudo nano /etc/exports
# Add export entries:
# /shared-directory client.domain.com(rw,sync,sec=krb5)

sudo exportfs -a

Enable Kerberos Authentication

sudo nano /etc/default/nfs-kernel-server
# Server-side GSS daemon (rpc.svcgssd), required for Kerberos exports
NEED_SVCGSSD=yes

sudo nano /etc/default/nfs-common
# Client-side GSS daemon (rpc.gssd); NEED_GSSD lives in nfs-common, not nfs-kernel-server
NEED_GSSD=yes

sudo nano /etc/idmapd.conf
# Set Domain = domain.com

Start NFS Services

sudo systemctl start nfs-server
sudo systemctl start rpcbind
# nfs-secure is the older unit name for rpc.gssd; newer nfs-utils ship it as rpc-gssd
sudo systemctl start nfs-secure
sudo systemctl enable nfs-server

Configure Firewall Rules

sudo ufw allow nfs
sudo ufw allow 2049
sudo ufw allow kerberos

Manual Configuration Approach

Manual configuration provides granular control over each step of the NFS-Kerberos setup. This approach is suitable for smaller deployments or when specific customizations are required. The process involves installing packages, configuring Kerberos authentication, creating security principals, and establishing proper export settings.

Manual Setup Process

Install Required Packages

sudo apt update
sudo apt install nfs-kernel-server krb5-user

# For RHEL/CentOS
sudo yum install nfs-utils krb5-workstation

Configure NFS Exports

sudo nano /etc/exports

# Add with Kerberos security
/path/to/shared/directory client_hostname(rw,sync,sec=krb5)

Create Kerberos Principals

sudo kadmin.local -q "addprinc -randkey nfs/server.example.com"
sudo kadmin.local -q "addprinc -randkey nfs/client.example.com"

# Generate keytabs
# The server's entry belongs in the server's own /etc/krb5.keytab. Write the
# client's entry to a separate file (example path), copy it to the client's
# /etc/krb5.keytab over a secure channel, then delete the local copy.
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/server.example.com"
sudo kadmin.local -q "ktadd -k /root/client.keytab nfs/client.example.com"

Enable Kerberos for NFS

sudo nano /etc/nfs.conf

# Hand GSS-API work to gssproxy; requires the gssproxy service to be installed and running
[gssd]
use-gss-proxy=1

[exportfs]
debug=0

Start Required Services

sudo systemctl start nfs-server
sudo systemctl start rpc-gssd
sudo systemctl enable nfs-server rpc-gssd

Configure Firewall

# UFW (Ubuntu)
sudo ufw allow nfs
sudo ufw allow kerberos

# FirewallD (RHEL/CentOS)
sudo firewall-cmd --permanent --add-service=nfs
sudo firewall-cmd --permanent --add-service=kerberos
sudo firewall-cmd --reload

Client Configuration

Obtain Kerberos Tickets

# Initialize Kerberos credentials
# rpc.gssd reads the nfs/ (or host/) key from /etc/krb5.keytab on its own to
# build the machine credential; each user who accesses the share still needs
# a ticket for their own principal (plain kinit as that user).
sudo kinit -kt /etc/krb5.keytab nfs/client.example.com

Mount NFS Share

sudo mount -t nfs -o sec=krb5 server.example.com:/path/to/shared/directory /mnt/nfs

Test File Operations

echo "Test file content" | sudo tee /mnt/nfs/test.txt
ls -la /mnt/nfs/

Security Considerations

Security Feature      | Description                         | Implementation
----------------------|-------------------------------------|--------------------------
Mutual Authentication | Both client and server authenticate | sec=krb5 mount option
Data Integrity        | Protects against data tampering     | sec=krb5i mount option
Data Privacy          | Encrypts data in transit            | sec=krb5p mount option
Principal Management  | Centralized user authentication     | Kerberos KDC integration
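The flavours above only apply to exports that actually carry a sec= option; an entry without one silently falls back to sec=sys (AUTH_SYS), where the server trusts whatever UID the client claims. The following audit script is an added example, not part of the original article: it walks an exports(5) file and flags every client spec that lacks a Kerberos flavour or still lists sys. The sample exports file and its hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit an exports(5) file so that
# every client entry requires a Kerberos flavour. A spec without sec= falls back
# to sec=sys (AUTH_SYS), where the server trusts the UID/GID the client claims,
# which silently undoes the Kerberos setup. Exit status 1 if any entry is weak.
audit_exports() (
    file="$1"
    set -f                        # no globbing: a '*' host must stay literal
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"        # drop comments
        set -- $line              # $1 = export path, $2.. = client specs
        [ $# -ge 2 ] || continue  # blank line, or a path with no client list
        path="$1"; shift
        for spec in "$@"; do
            case "$spec" in
                *\(*\)) host="${spec%%\(*}"; opts="${spec#*\(}"; opts="${opts%\)}" ;;
                *)      host="$spec"; opts="" ;;
            esac
            [ -n "$host" ] || host='*'   # exports(5): '/pub (ro)' applies to every host
            sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
            if [ -z "$sec" ]; then
                echo "WEAK $path $host: no sec= option, defaults to sec=sys"; weak=1
            elif printf ':%s:' "$sec" | grep -q ':sys:'; then
                echo "WEAK $path $host: sec=$sec still permits AUTH_SYS"; weak=1
            else
                note=""; [ "$host" != '*' ] || note=" (any host with a valid ticket)"
                echo "OK   $path $host: sec=$sec$note"
            fi
        done
    done < "$file"
    [ "$weak" -eq 0 ]
)

# Constructed sample exports file for the demonstration (hosts are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/srv/krb     client.example.com(rw,sync,sec=krb5p)
/srv/legacy  *(rw,sync)                    # forgot sec=, so AUTH_SYS applies
/srv/mixed   192.168.1.0/24(rw,sec=krb5i:sys)
EOF
if audit_exports "$sample"; then echo "all exports require Kerberos"; else echo "weak exports found"; fi
rm -f "$sample"
```

Run it against the real /etc/exports after every change and before `exportfs -a`; a non-zero exit status makes it easy to gate the reload in a playbook.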

Conclusion

Setting up NFS with Kerberos authentication provides a robust, secure file sharing solution for Linux environments. Whether using automated tools or manual configuration, the key components include proper Kerberos realm setup, principal creation, and secure mount options (sec=krb5, krb5i or krb5p). This configuration authenticates every client, can protect the integrity and confidentiality of data in transit, and prevents unauthorized access while maintaining efficient network file sharing capabilities.

Updated on: 2026-03-17T09:01:39+05:30
